sh3-server 0.8.2 → 0.9.1

package/dist/doc-store/store.js

@@ -0,0 +1,336 @@
+/**
+ * TenantDocStore — single entry point for tenant-document operations.
+ *
+ * Owns the write pipeline: version bump (primary) or pending (replica),
+ * policy-resolved syncMode caching, reserved-metadata filter, tick advance,
+ * conflict bucket on Mode B mismatch. Consumed by the docs HTTP router
+ * and by the ServerShardContext.documents(tenant) API.
+ */
+import { readFile, writeFile, mkdir, rm, readdir, stat } from 'node:fs/promises';
+import { readdirSync, existsSync } from 'node:fs';
+import { dirname, join, relative } from 'node:path';
+import { resolveSyncMode } from './policy.js';
+import { filterReservedMeta } from './reserved.js';
+import { readMeta, writeMeta } from './meta.js';
+export class TenantDocStore {
+    #dataDir;
+    #policy;
+    #tick;
+    roles;
+    #conflicts;
+    constructor(deps) {
+        this.#dataDir = deps.dataDir;
+        this.#policy = deps.policy;
+        this.#tick = deps.tick;
+        this.roles = deps.roles;
+        this.#conflicts = deps.conflicts;
+    }
+    /** Root filesystem directory this store reads/writes under. */
+    get dataDir() { return this.#dataDir; }
+    /** Synchronous tenant enumeration for shard-ctx's `tenants()` entry point. */
+    listTenantsSync() {
+        const root = join(this.#dataDir, 'docs');
+        if (!existsSync(root))
+            return [];
+        return readdirSync(root, { withFileTypes: true })
+            .filter((e) => e.isDirectory())
+            .map((e) => e.name);
+    }
+    /**
+     * Persist `__sync__/policy.json` for a tenant and refresh the cached
+     * `syncMode` on every existing doc so subsequent reads match the new
+     * policy without a restart.
+     */
+    async writePolicy(tenant, policy) {
+        const p = join(this.#dataDir, 'docs', tenant, '__sync__', 'policy.json');
+        await mkdir(dirname(p), { recursive: true });
+        await writeFile(p, JSON.stringify(policy, null, 2));
+        this.#policy.invalidate(tenant);
+        const all = await this.listAll(tenant);
+        for (const entry of all) {
+            const meta = await readMeta(this.#dataDir, tenant, entry.shardId, entry.path);
+            if (!meta)
+                continue;
+            const newMode = resolveSyncMode(policy, entry.path);
+            if (meta.syncMode !== newMode) {
+                await writeMeta(this.#dataDir, tenant, entry.shardId, entry.path, { ...meta, syncMode: newMode });
+            }
+        }
+    }
+    // ---------- path helpers ----------
+    #contentPath(tenant, shardId, path) {
+        return join(this.#dataDir, 'docs', tenant, shardId, path);
+    }
+    // ---------- reads ----------
+    async read(tenant, shardId, path) {
+        try {
+            return await readFile(this.#contentPath(tenant, shardId, path), 'utf-8');
+        }
+        catch (err) {
+            if (err?.code === 'ENOENT')
+                return null;
+            throw err;
+        }
+    }
+    async readMeta(tenant, shardId, path) {
+        return readMeta(this.#dataDir, tenant, shardId, path);
+    }
+    async exists(tenant, shardId, path) {
+        try {
+            await stat(this.#contentPath(tenant, shardId, path));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async list(tenant, shardId) {
+        const root = join(this.#dataDir, 'docs', tenant, shardId);
+        return this.#enumerate(root, root, tenant, shardId);
+    }
+    async listAll(tenant) {
+        const root = join(this.#dataDir, 'docs', tenant);
+        const out = [];
+        let entries;
+        try {
+            entries = await readdir(root, { withFileTypes: true });
+        }
+        catch (err) {
+            if (err?.code === 'ENOENT')
+                return [];
+            throw err;
+        }
+        for (const e of entries) {
+            if (!e.isDirectory())
+                continue;
+            if (e.name.startsWith('__'))
+                continue; // reserved
+            const shardDir = join(root, e.name);
+            for (const m of await this.#enumerate(shardDir, shardDir, tenant, e.name)) {
+                out.push({ ...m, shardId: e.name });
+            }
+        }
+        return out;
+    }
+    async #enumerate(current, base, tenant, shardId) {
+        const out = [];
+        let entries;
+        try {
+            entries = await readdir(current, { withFileTypes: true });
+        }
+        catch (err) {
+            if (err?.code === 'ENOENT')
+                return out;
+            throw err;
+        }
+        for (const e of entries) {
+            const full = join(current, e.name);
+            if (e.isDirectory()) {
+                out.push(...(await this.#enumerate(full, base, tenant, shardId)));
+                continue;
+            }
+            const rel = relative(base, full).split(/[/\\]/).join('/');
+            const s = await stat(full);
+            const meta = await readMeta(this.#dataDir, tenant, shardId, rel);
+            out.push({
+                path: rel,
+                size: s.size,
+                lastModified: s.mtimeMs,
+                ...(meta ?? {}),
+            });
+        }
+        return out;
+    }
+    // ---------- policy / tick passthroughs ----------
+    async getTick(tenant) {
+        return this.#tick.get(tenant);
+    }
+    async readPolicy(tenant) {
+        return this.#policy.get(tenant);
+    }
+    invalidatePolicy(tenant) {
+        this.#policy.invalidate(tenant);
+    }
+    // ---------- Mode A write ----------
+    async write(tenant, shardId, path, content, metadata) {
+        const role = this.roles.get(tenant);
+        const policy = await this.#policy.get(tenant);
+        const syncMode = resolveSyncMode(policy, path);
+        const prev = await readMeta(this.#dataDir, tenant, shardId, path);
+        const prevKnown = typeof prev?.lastKnownVersion === 'number' ? prev.lastKnownVersion : 0;
+        let version;
+        let syncState;
+        let lastKnownVersion;
+        if (role === 'primary') {
+            version = prevKnown + 1;
+            lastKnownVersion = version;
+            syncState = 'synced';
+        }
+        else {
+            // replica
+            version = prevKnown;
+            lastKnownVersion = prevKnown;
+            syncState = syncMode === 'local-only' ? 'synced' : 'pending';
+        }
+        // Write content first.
+        const cp = this.#contentPath(tenant, shardId, path);
+        await mkdir(dirname(cp), { recursive: true });
+        await writeFile(cp, content);
+        // Then metadata.
+        const custom = filterReservedMeta(metadata);
+        const mergedMeta = {
+            ...custom,
+            version,
+            syncMode,
+            syncState,
+            lastKnownVersion,
+        };
+        await writeMeta(this.#dataDir, tenant, shardId, path, mergedMeta);
+        if (role === 'primary')
+            await this.#tick.bump(tenant);
+        return { version, syncState };
+    }
+    // ---------- Mode A delete ----------
+    async delete(tenant, shardId, path) {
+        const role = this.roles.get(tenant);
+        const prev = await readMeta(this.#dataDir, tenant, shardId, path);
+        const prevKnown = typeof prev?.lastKnownVersion === 'number' ? prev.lastKnownVersion : 0;
+        // Remove content.
+        try {
+            await rm(this.#contentPath(tenant, shardId, path));
+        }
+        catch (err) {
+            if (err?.code !== 'ENOENT')
+                throw err;
+        }
+        let version;
+        let syncState;
+        let lastKnownVersion;
+        if (role === 'primary') {
+            version = prevKnown + 1;
+            lastKnownVersion = version;
+            syncState = 'synced';
+        }
+        else {
+            version = prevKnown;
+            lastKnownVersion = prevKnown;
+            syncState = 'pending';
+        }
+        await writeMeta(this.#dataDir, tenant, shardId, path, {
+            version,
+            lastKnownVersion,
+            syncState,
+            deleted: true,
+        });
+        if (role === 'primary')
+            await this.#tick.bump(tenant);
+    }
+    // ---------- Mode B — applyFromPeer ----------
+    async applyFromPeer(tenant, input) {
+        const { shardId, path, content, incomingVersion, expectedLocalVersion, origin } = input;
+        const prev = await readMeta(this.#dataDir, tenant, shardId, path);
+        const prevVersion = typeof prev?.version === 'number' ? prev.version : 0;
+        const prevState = prev?.syncState;
+        if (!prev) {
+            await this.#overwriteFromPeer(tenant, shardId, path, content, incomingVersion, origin, input.deleted);
+            return { applied: true, version: incomingVersion };
+        }
+        if (prevState === 'synced') {
+            if (prevVersion === expectedLocalVersion) {
+                await this.#overwriteFromPeer(tenant, shardId, path, content, incomingVersion, origin, input.deleted);
+                return { applied: true, version: incomingVersion };
+            }
+            return { applied: false, reason: 'stale' };
+        }
+        if (prevState === 'pending') {
+            const localContent = (await this.read(tenant, shardId, path)) ?? '';
+            await this.#conflicts.append(tenant, shardId, path, {
+                origin: 'local',
+                version: prevVersion,
+                content: localContent,
+                at: Date.now(),
+            });
+            await this.#conflicts.append(tenant, shardId, path, {
+                origin,
+                version: incomingVersion,
+                content: typeof content === 'string' ? content : content.toString('utf-8'),
+                at: Date.now(),
+            });
+            const merged = { ...(prev ?? {}), syncState: 'conflict' };
+            await writeMeta(this.#dataDir, tenant, shardId, path, merged);
+            return { applied: false, reason: 'conflict' };
+        }
+        // prevState === 'conflict'
+        await this.#conflicts.append(tenant, shardId, path, {
+            origin,
+            version: incomingVersion,
+            content: typeof content === 'string' ? content : content.toString('utf-8'),
+            at: Date.now(),
+        });
+        return { applied: false, reason: 'conflict-extended' };
+    }
+    async #overwriteFromPeer(tenant, shardId, path, content, version, origin, deleted) {
+        const cp = this.#contentPath(tenant, shardId, path);
+        if (deleted) {
+            try {
+                await rm(cp);
+            }
+            catch (err) {
+                if (err?.code !== 'ENOENT')
+                    throw err;
+            }
+        }
+        else {
+            await mkdir(dirname(cp), { recursive: true });
+            await writeFile(cp, content);
+        }
+        const policy = await this.#policy.get(tenant);
+        const syncMode = resolveSyncMode(policy, path);
+        await writeMeta(this.#dataDir, tenant, shardId, path, {
+            version,
+            lastKnownVersion: version,
+            syncMode,
+            syncState: 'synced',
+            origin,
+            lastSyncedAt: Date.now(),
+            ...(deleted ? { deleted: true } : {}),
+        });
+        // Primary accepting a push advances tick; replica pulling doesn't.
+        if (this.roles.get(tenant) === 'primary')
+            await this.#tick.bump(tenant);
+    }
+    // ---------- conflicts ----------
+    async listConflicts(tenant) {
+        return this.#conflicts.list(tenant);
+    }
+    async readConflict(tenant, shardId, path) {
+        return this.#conflicts.read(tenant, shardId, path);
+    }
+    async resolveConflict(tenant, shardId, path, choice) {
+        const cf = await this.#conflicts.read(tenant, shardId, path);
+        if (!cf)
+            return;
+        let content;
+        if (choice === 'local') {
+            const branch = cf.branches.find((b) => b.origin === 'local');
+            if (!branch)
+                throw new Error('No local branch to resolve');
+            content = branch.content;
+        }
+        else if (typeof choice === 'string') {
+            const branch = cf.branches.find((b) => b.origin === choice);
+            if (!branch)
+                throw new Error(`No branch with origin ${choice}`);
+            content = branch.content;
+        }
+        else {
+            content = choice;
+        }
+        // Clear the conflict FIRST so the subsequent write doesn't see stale state.
+        await this.#conflicts.clear(tenant, shardId, path);
+        // Force syncState back to 'synced' baseline so Mode A write can transition normally.
+        const prev = (await readMeta(this.#dataDir, tenant, shardId, path)) ?? {};
+        await writeMeta(this.#dataDir, tenant, shardId, path, { ...prev, syncState: 'synced' });
+        await this.write(tenant, shardId, path, content);
+    }
+}

package/dist/doc-store/tick.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Per-tenant monotonic tick counter. Lives at
+ *   {dataDir}/docs/<tenant>/__sync__/tick.json  => { tick: number, bumpedAt: number }
+ *
+ * Incremented on every version-advancing write. Never decreases. Persisted
+ * synchronously before write acknowledgement. In-memory cached after first read.
+ */
+export declare class TickCounter {
+    #private;
+    constructor(dataDir: string);
+    get(tenant: string): Promise<number>;
+    bump(tenant: string): Promise<number>;
+}

package/dist/doc-store/tick.js

@@ -0,0 +1,52 @@
+/**
+ * Per-tenant monotonic tick counter. Lives at
+ *   {dataDir}/docs/<tenant>/__sync__/tick.json  => { tick: number, bumpedAt: number }
+ *
+ * Incremented on every version-advancing write. Never decreases. Persisted
+ * synchronously before write acknowledgement. In-memory cached after first read.
+ */
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+export class TickCounter {
+    #dataDir;
+    #byTenant = new Map();
+    constructor(dataDir) {
+        this.#dataDir = dataDir;
+    }
+    async get(tenant) {
+        if (this.#byTenant.has(tenant))
+            return this.#byTenant.get(tenant);
+        const loaded = await this.#load(tenant);
+        this.#byTenant.set(tenant, loaded);
+        return loaded;
+    }
+    async bump(tenant) {
+        const current = await this.get(tenant);
+        const next = current + 1;
+        this.#byTenant.set(tenant, next);
+        await this.#persist(tenant, next);
+        return next;
+    }
+    #path(tenant) {
+        return join(this.#dataDir, 'docs', tenant, '__sync__', 'tick.json');
+    }
+    async #load(tenant) {
+        try {
+            const raw = await readFile(this.#path(tenant), 'utf-8');
+            const parsed = JSON.parse(raw);
+            return typeof parsed.tick === 'number' && Number.isFinite(parsed.tick)
+                ? Math.max(0, Math.floor(parsed.tick))
+                : 0;
+        }
+        catch (err) {
+            if (err?.code === 'ENOENT')
+                return 0;
+            throw err;
+        }
+    }
+    async #persist(tenant, value) {
+        const p = this.#path(tenant);
+        await mkdir(dirname(p), { recursive: true });
+        await writeFile(p, JSON.stringify({ tick: value, bumpedAt: Date.now() }));
+    }
+}

package/dist/fs-backend.d.ts

@@ -6,5 +6,5 @@
  *
  * where docsDir = <dataDir>/docs
  */
-import type { DocumentBackend } from 'sh3-core/server-sync';
+import type { DocumentBackend } from 'sh3-core';
 export declare function createFsDocumentBackend(dataDir: string): DocumentBackend;

package/dist/index.d.ts

@@ -29,6 +29,7 @@ export declare function createServer(options?: ServerOptions): Promise<{
     users: UserStore;
     sessions: SessionStore;
     settings: SettingsStore;
+    docStore: import("./doc-store/store.js").TenantDocStore;
     start(): Promise<void>;
 }>;
 export { KeyStore } from './keys.js';

package/dist/index.js

@@ -24,11 +24,13 @@ import { createAuthRouter } from './routes/auth.js';
 import { createBootRouter } from './routes/boot.js';
 import { createAdminRouter } from './routes/admin.js';
 import { createDocsRouter } from './routes/docs.js';
+import { createTenantDocStore } from './doc-store/index.js';
 import { createEnvStateRouter } from './routes/env-state.js';
 import { createKeysRouter } from './routes/keys.js';
 import { loadPackages, scanPackages, servePackageBundles, createPackageManagementRoutes } from './packages.js';
-import { createFsDocumentBackend } from './fs-backend.js';
-import { ShardRouter, buildShardCtx } from './shard-router.js';
+import { removeLegacyGrants } from './migrations/sync-grants.js';
+import { ShardRouter, adminOnly } from './shard-router.js';
+import { scopeRequired, tenantRequired } from './scope.js';
 import { registerTenantFsRoutes } from './tenant-fs/index.js';
 import shellShardServer from './shell-shard/index.js';
 export async function createServer(options = {}) {
@@ -48,8 +50,6 @@ export async function createServer(options = {}) {
     const keys = new KeyStore(dataDir);
     const users = new UserStore(dataDir);
     const settings = new SettingsStore(dataDir);
-    // Server-side document backend (used by ctx.sync / ctx.syncRegistry on server shards)
-    const documentBackend = createFsDocumentBackend(dataDir);
     // --no-auth: disable auth enforcement (Tauri sidecar / local-owner mode)
     if (options.noAuth) {
         settings.update({ auth: { required: false, guestAllowed: true } });
@@ -114,11 +114,14 @@ export async function createServer(options = {}) {
     app.route('/api/boot', createBootRouter(sessions, users, settings));
     // Auth endpoints (login, logout, register, verify)
     app.route('/api/auth', createAuthRouter(keys, users, sessions, settings));
-    // Document backend API
-    app.route('/api/docs', createDocsRouter(dataDir));
     // --- Session-gated routes ---
     app.use('/api/*', sessionAuth(sessions, settings));
     app.use('/api/*', resolveCaller(keys));
+    // Document backend API — gated by sessionAuth + resolveCaller (mounted above).
+    // The router itself enforces tenantParamMatch and the __-prefix reservation.
+    // Settings is threaded so tenantParamMatch respects open / no-auth mode.
+    const docStore = createTenantDocStore(dataDir);
+    app.route('/api/docs', createDocsRouter(docStore, settings));
     // Environment state API (per-shard server-backed config)
     app.route('/api/env-state', createEnvStateRouter(dataDir));
     // User-tenant key management (list/revoke). Mint lives at /api/shards-keys.
@@ -179,7 +182,7 @@ export async function createServer(options = {}) {
     app.use('/api/packages/install', adminAuth(sessions, keys, settings));
     app.use('/api/packages/uninstall', adminAuth(sessions, keys, settings));
     const frameworkShardIds = ['__sh3core__', 'shell', 'sh3-store', 'sh3-admin'];
-    app.route('/api/packages', createPackageManagementRoutes(shardRouter, dataDir, keys, settings, wsRegister, documentBackend, frameworkShardIds));
+    app.route('/api/packages', createPackageManagementRoutes(shardRouter, dataDir, keys, settings, wsRegister, docStore, frameworkShardIds));
     // Serve client bundles from discovered packages
     servePackageBundles(app, dataDir, settings);
     // Framework built-in: shell-shard server routes.
@@ -198,9 +201,15 @@ export async function createServer(options = {}) {
         const shellDataDir = join(shellPkgDir, 'data');
         mkdirSync(shellDataDir, { recursive: true });
         const shellSubApp = new Hono();
-        const shellPermissions = [];
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        await shellShardServer.routes(shellSubApp, buildShardCtx('shell', shellDataDir, shellPermissions, keys, settings, wsRegister, documentBackend));
+        await shellShardServer.routes(shellSubApp, {
+            shardId: 'shell',
+            dataDir: shellDataDir,
+            permissions: [],
+            adminOnly: adminOnly(keys, settings),
+            scopeRequired,
+            tenantRequired,
+            wsRegister,
+        });
         app.route('/api/shell', shellSubApp);
     }
     // Framework-level tenant filesystem API — read-only, jailed to each user's documents.
@@ -223,7 +232,9 @@ export async function createServer(options = {}) {
         users,
         sessions,
         settings,
+        docStore,
         async start() {
+            removeLegacyGrants(dataDir);
             // First-boot: generate admin key + admin user
             if (keys.isEmpty()) {
                 const initial = keys.generate({ label: 'Initial admin key', tenantId: null, ownerUserId: null, mintedByShardId: null, scopes: ['admin:*'] });
@@ -254,7 +265,7 @@ export async function createServer(options = {}) {
                     console.log(`[sh3] Seeded official registry: ${registryUrl}`);
                 }
             }
-            await loadPackages(shardRouter, dataDir, keys, settings, wsRegister, documentBackend);
+            await loadPackages(shardRouter, dataDir, keys, settings, wsRegister, docStore);
             // Periodic session cleanup (every 15 minutes)
             setInterval(() => sessions.cleanup(), 15 * 60 * 1000);
             // API 404
@@ -277,6 +288,14 @@ export async function createServer(options = {}) {
                 console.log(`sh3-server listening on http://localhost:${port}`);
             });
             injectWebSocket(server);
+            const shutdown = async (sig) => {
+                console.log(`[sh3] received ${sig}, tearing down shards...`);
+                await shardRouter.unmountAll();
+                server.close();
+                process.exit(0);
+            };
+            process.on('SIGINT', () => { void shutdown('SIGINT'); });
+            process.on('SIGTERM', () => { void shutdown('SIGTERM'); });
         },
     };
 }

package/dist/keys.d.ts

@@ -17,7 +17,8 @@ export interface ApiKey {
     ownerUserId: string | null;
     mintedByShardId: string | null;
     scopes: string[];
-    connectorId?: string;
+    peerRole?: 'primary' | 'replica';
+    peerId?: string;
     createdAt: string;
     expiresAt?: string;
 }
@@ -28,7 +29,8 @@ export interface GenerateInput {
     ownerUserId: string | null;
     mintedByShardId: string | null;
     scopes: string[];
-    connectorId?: string;
+    peerRole?: 'primary' | 'replica';
+    peerId?: string;
     expiresAt?: string;
 }
 export declare class KeyStore {

package/dist/keys.js

@@ -38,7 +38,8 @@ export class KeyStore {
             ownerUserId: input.ownerUserId,
             mintedByShardId: input.mintedByShardId,
             scopes: [...input.scopes],
-            connectorId: input.connectorId,
+            peerRole: input.peerRole,
+            peerId: input.peerId,
             createdAt: new Date().toISOString(),
             expiresAt: input.expiresAt,
         };
@@ -123,7 +124,14 @@ export class KeyStore {
             return;
         try {
             const raw = JSON.parse(readFileSync(p, 'utf-8'));
-            this.#admin.push(...raw);
+            const dirty = raw.some((row) => 'connectorId' in row);
+            const cleaned = raw.map((row) => {
+                const { connectorId: _drop, ...rest } = row;
+                return rest;
+            });
+            this.#admin.push(...cleaned);
+            if (dirty)
+                this.#saveAdmin();
         }
         catch {
             // Corrupt admin file — leave empty; the next generate() overwrites.
@@ -142,7 +150,14 @@ export class KeyStore {
                 continue;
             try {
                 const raw = JSON.parse(readFileSync(file, 'utf-8'));
-                this.#byTenant.set(tenantId, raw);
+                const dirty = raw.some((row) => 'connectorId' in row);
+                const cleaned = raw.map((row) => {
+                    const { connectorId: _drop, ...rest } = row;
+                    return rest;
+                });
+                this.#byTenant.set(tenantId, cleaned);
+                if (dirty)
+                    this.#saveTenant(tenantId);
             }
             catch {
                 this.#byTenant.set(tenantId, []);

package/dist/migrations/sync-grants.d.ts

@@ -0,0 +1,7 @@
+/**
+ * ADR-019 §11.2: retire the legacy `grants/` namespace under the reserved
+ * `__sync__` shard id for every tenant. Idempotent; safe to run on every
+ * boot. Other `__sync__/` subdirectories are out of scope here — they
+ * disappear when the sync runtime is rebuilt in sh3-server.
+ */
+export declare function removeLegacyGrants(dataDir: string): void;

package/dist/migrations/sync-grants.js

@@ -0,0 +1,27 @@
+/**
+ * ADR-019 §11.2: retire the legacy `grants/` namespace under the reserved
+ * `__sync__` shard id for every tenant. Idempotent; safe to run on every
+ * boot. Other `__sync__/` subdirectories are out of scope here — they
+ * disappear when the sync runtime is rebuilt in sh3-server.
+ */
+import { existsSync, readdirSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+export function removeLegacyGrants(dataDir) {
+    const docsDir = join(dataDir, 'docs');
+    if (!existsSync(docsDir))
+        return;
+    const tenants = readdirSync(docsDir, { withFileTypes: true })
+        .filter((e) => e.isDirectory())
+        .map((e) => e.name);
+    let removed = 0;
+    for (const tenant of tenants) {
+        const grants = join(docsDir, tenant, '__sync__', 'grants');
+        if (existsSync(grants)) {
+            rmSync(grants, { recursive: true, force: true });
+            removed += 1;
+        }
+    }
+    if (removed > 0) {
+        console.log(`[sh3] migration: removed legacy __sync__/grants/ for ${removed} tenant(s)`);
+    }
+}

package/dist/packages.d.ts

@@ -3,10 +3,9 @@ import type { KeyStore } from './keys.js';
 import type { SettingsStore } from './settings.js';
 import { ShardRouter } from './shard-router.js';
 import type { MountContext } from './shard-router.js';
+import type { TenantDocStore } from './doc-store/index.js';
 /** Type of the `wsRegister` factory field from MountContext. */
 type WsRegister = MountContext['wsRegister'];
-/** Type of the `documentBackend` field from MountContext. */
-type DocumentBackend = MountContext['documentBackend'];
 export interface DiscoveredPackage {
     id: string;
     type: string;
@@ -21,7 +20,7 @@ export interface DiscoveredPackage {
  * For each valid package, mount server routes (if server.js exists) and
  * return the full list of discovered packages.
  */
-export declare function loadPackages(shardRouter: ShardRouter, dataDir: string, keys: KeyStore, settings: SettingsStore, wsRegister: WsRegister, documentBackend: DocumentBackend): Promise<DiscoveredPackage[]>;
+export declare function loadPackages(shardRouter: ShardRouter, dataDir: string, keys: KeyStore, settings: SettingsStore, wsRegister: WsRegister, docStore: TenantDocStore): Promise<DiscoveredPackage[]>;
 /**
  * Re-scan `<dataDir>/packages/` and return metadata for all valid packages.
  * Unlike `loadPackages`, this does NOT mount server routes — it only reads
@@ -54,5 +53,5 @@ export declare function validateRequiredShards(manifest: Record<string, unknown>
  * Returns a Hono router with POST /install and POST /uninstall.
  * Protected by the blanket `/api/*` auth middleware already applied upstream.
  */
-export declare function createPackageManagementRoutes(shardRouter: ShardRouter, dataDir: string, keys: KeyStore, settings: SettingsStore, wsRegister: WsRegister, documentBackend: DocumentBackend, frameworkShardIds?: string[]): Hono;
+export declare function createPackageManagementRoutes(shardRouter: ShardRouter, dataDir: string, keys: KeyStore, settings: SettingsStore, wsRegister: WsRegister, docStore: TenantDocStore, frameworkShardIds?: string[]): Hono;
 export {};